Anvil is the best front end framework by far (much better than my old Macromedia Flash / Flex). The more I work with it, the more I admire the beauty of the framework and want to know more about it.
Below are some questions in my mind for a while
In the published app, how malicious users list data when authorised users loaded it into the app from the server a without interact with the app UI?
How about open new form?
In my view, it seems not possible, but nothing is impossible in the client side. Just curious how?
Any help is greatly appreciated
If you think in terms of a malicious user, you should work on the assumption that they can see and adjust any client code that exists in your web app.
If you know your way around you could, in theory, work out the incantation to trigger opening forms from the console. Or just rewrite the client code completely.
Indeed a couple years ago I wrote an app for fun. It was just a toy app. I let my students know that there were big security issues and if they tried they could probably hack it, almost laying down a challenge. I’d quickly put everything together and all validation was on the client and datatables were accessible from the client. One pupil decided to dive deep and having no prior experience with anvil (but an exceptionally good knowledge of python and JavaScript), a few days later showed me he was able to download the data! Of course if I’d been more diligent and written it with server validation checks and proper permissions set then he wouldn’t have been able to work around them by hacking the client code.
So to prevent malicious users you must validate permission on the server. Typically this means that anvil datatables are not viewable from client code. And any request for data is validated on the server, not the client.
The other point worth mentioning is that client sessions are totally separate. If user A interacts with your app from computer A this is a completely separate session from Malicious User B interacting with your app from computer B. So allowing user A to see their data will Not mean that user B can see user As data. They have no access to user As session.
Not necessarily, once you’ve loaded a page you can cache the page so that they load lighting fast next time.
I typically have to do server calls to load some data for each page.
Maybe I’ll get as much data on the initial server call as I can aiming to keep algorithms around .3 seconds. This might serve multiple pages. And any calls to get data will check user credentials on the server.
If a malicious user were trying to visit a different page then it wouldn’t work because it just wouldn’t have anything to display…
Of course, depends on the web app and the set up I guess. I’m sure there will be several users on the forum who have combined the speed that you get with a one page app, with the need for security and server side validation.